我一直在努力解决有关将 Azure B2C 与我的主要 Azure 租户的 API 集成的问题。这是场景: 设置:
az ad sp create --id some-custom-id-guid
,我在 TB2C 中创建了一个企业应用程序,它似乎已将我的 API 从 TMain 导入到 TB2C 中。现在,问题是: 鉴于我使用非常简单的代码进行了初步测试:
class Program
{
// Replace these values with your own
private const string ClientId = "TB2C-new-app-client-id";
private const string TenantName = "TB2C-Name";
private const string TenantId = "TB2C-ID";
private const string Authority = $"https://>TenantName <.b2clogin.com/tfp/>TenantName <.onmicrosoft.com/B2C_1_main";
private static readonly string[] Scopes = { "api://scope-from-enterpise-app-in-B2C/api.read" };
static async Task Main(string[] args)
{
try
{
// Create the MSAL confidential client application
var app = PublicClientApplicationBuilder
.Create(ClientId)
.WithAuthority(Authority)
.WithRedirectUri("http://localhost")
.Build();
// Acquire a token interactively
var result = await app.AcquireTokenInteractive(Scopes)
.ExecuteAsync();
// Display the access token
Console.WriteLine("Access Token:");
Console.WriteLine(result.AccessToken);
Console.WriteLine();
// Display the ID token
Console.WriteLine("ID Token:");
Console.WriteLine(result.IdToken);
}
catch (Exception ex)
{
Console.WriteLine($"An error occurred: {ex.Message}");
}
Console.WriteLine("\nPress any key to exit...");
Console.ReadKey();
}
}
使用 TMain 的全局管理员用户登录时,我无法请求自定义范围。
我收到的错误消息是:
AADB2C90117:不支持请求中提供的范围“api://scope-from-enterprise-app-in-B2C/api.read”。
所需的解决方案:
我的目标是以下架构之一:
选项A:
A single frontend and backend app, where both internal and B2C users can authenticate, with different backend scopes for each type of user.
选项B:
Two separate frontend apps connected to the same backend API, with each frontend app using different sets of permissions/scopes.
在这两种解决方案中,我都需要:
User impersonation.
Application-level permissions for the API.
Role-based authorization (roles must be included in the tokens from both providers).
问题:
Why am I unable to request the custom scope in TB2C when logging in with a user from TMain?
How can I set up either of the desired architectures while ensuring the correct permissions, roles, and user impersonation are in place?
任何指导或建议将不胜感激!
在 Azure AD 租户中创建了 后端应用程序
AADBackEnd
并添加了自定义角色和范围:
并在 Azure AD 租户中创建了一个 前端应用程序
AADFrontEnd
并授予 API 权限,如下所示:
在 Azure AD B2C 租户中创建后端应用程序 AADBackEnd
az login --tenant <B2CTenantID> --allow-no-subscriptions
az ad sp create --id <AADBackEndAppID>
现在我使用以下授权端点来授权Azure B2C租户中的
AADFrontEnd
应用程序:
https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?
&client_id=AADFrontEndAppID
&response_type=code
&redirect_uri=RedirectURL
&response_mode=query
&scope=api://AADBackEndAppID/.default
&state=12345
并使用 Azure B2C 租户管理员用户登录并单击“接受”:
在 Azure AD B2C 的企业应用程序中,存在两个应用程序
AADBackEnd
和 AADFrontEnd
:
确保 Azure AD B2C 租户中的
AADFrontEnd
已授予权限:
我在 Azure AD B2C 租户中创建了一个测试应用程序
B2CFE
并授予了 API 权限:
当尝试与您相同的代码时,出现相同的错误:
要解决该错误,范围
api://xx/scopename
不适用于权限https://<TenantName>.b2clogin.com/tfp/<TenantName>.onmicrosoft.com/B2C_1_main
,因为它是Azure AD范围,因此要使其工作,请将权限更改为https://login.microsoftonline.com/B2CtenantID
请注意,
AcquireTokenInteractive
仅适用于公共客户端应用程序,即重定向URL必须注册为移动和桌面应用程序并将允许公共客户端流设置为YES:
将 Azure AD B2C 租户
AADBackEnd
应用程序中的角色分配给用户:
如下修改authority并使用B2C用户登录:
class Program
{
private const string ClientId = "B2CFEClientID";
private const string TenantName = "Tenantname";
private const string TenantId = "B2CTenantID";
private const string Authority = $"https://login.microsoftonline.com/{TenantId}";
private static readonly string[] Scopes = { "api://***/api.read" };
static async Task Main(string[] args)
{
try
{
var app = PublicClientApplicationBuilder
.Create(ClientId)
.WithAuthority(Authority)
.WithRedirectUri("http://localhost")
.Build();
var result = await app.AcquireTokenInteractive(Scopes)
.ExecuteAsync();
Console.WriteLine("Access Token:");
Console.WriteLine(result.AccessToken);
Console.WriteLine();
Console.WriteLine("ID Token:");
Console.WriteLine(result.IdToken);
}
catch (MsalUiRequiredException ex)
{
Console.WriteLine($"User interaction required: {ex.Message}");
}
catch (MsalException ex)
{
Console.WriteLine($"MSAL error: {ex.Message}");
}
catch (Exception ex)
{
Console.WriteLine($"An unexpected error occurred: {ex.Message}");
}
Console.WriteLine("\nPress any key to exit...");
Console.ReadKey();
}
}
代币生成成功:
当显示解码的角色和 scp 声明时: